KES-Agent Beta | Demo

Dec 14, 2025
18:18

This is a demonstration of the main features of KES-Agent.

Key Evolving Signature (KES) cryptography is a cryptographic signing scheme where one verification key (VerKey) covers a series of signing keys (SignKey), such that:

- Any signature created with any of the SignKeys can be verified with the same VerKey.
- Future SignKeys can be derived ("evolved") from past ones, but not the other way around, up to a maximum number of evolutions.

We use this in Cardano in order to achieve a degree of forward security:

- The original SignKey of each series of evolutions is verified with an OpCert, and installed into a Node.
- Every 36 hours (one "KES Period"), the Node evolves the SignKey, and deletes the old evolution.
- Once we reach the end of a key's series of evolutions, a new key and OpCert must be generated and installed.

The KES Agent is an external process that retains a KES key in memory, and exchanges it with a locally connected Node. Great care is taken to make sure that keys are never stored on disk, and that the RAM they are stored in is protected against swapping out to disk ("mlocked"), and when sending keys over a network socket, we do it such that the keys are moved directly between mlocked memory and the socket file descriptors, without using any intermediate data structures for serialization/deserialization.
